World Privacy Forum’s HIE Tips, Glossary, and FAQ for Patients

This FAQ, glossary, and tipsheet about Health Information Exchanges is designed to work in tandem with our HIE map and directory of California HIEs, available here. If you have questions about HIPAA beyond those answered here, please see our extensive resource, A Patient’s Guide to HIPAA.

FAQ 1: What is an HIE?

HIE stands for Health Information Exchange. An HIE allows medical records to be shared electronically. An HIE relies on networking technologies to enable your doctor to share records with another health care provider over the Internet, instead of by fax. As a result, doctors participating in an HIE may have a much more complete picture of your medical history to work from, even if they have had only limited or, in some cases, no previous contact with you as a patient. Here is an example of how this can work: you live in the city of San Diego proper, but your favorite Saturday get-away is a beach in Northern San Diego County. While up north one day, you go to an emergency room to get stitches after a mishap. The idea is that due to the exchange of records within San Diego’s HIE, the Northern San Diego County emergency room will have the ability to see your health files from your downtown San Diego physicians in a fast, frictionless manner. The goal of an HIE is to enable any provider or physician to treat you from as complete a record as possible. This can happen in a variety of ways, and how it happens will depend on the structure and size of the HIE your records are in.

FAQ 2: What gets exchanged in an HIE?

HIEs can exchange very small pieces of individual health records, like a lab test result, or they can exchange entire health files over a long period of time. In the past, individual doctors would keep your paper records in their office, and that was it. If they had a records request, they could mail or fax them to another doctor. But with the move to electronic records and HIEs, your treatment with individual doctors can be combined and merged to provide a more comprehensive record for all of them. So your dermatologist can, for example, request all of your records from the various doctors you see, and vice versa. The idea is that anyone you see for treatment has a more complete medical history.

HIE in our materials stands for Health Information Exchange. HIE can also mean Health Insurance Exchange, as it is known under President Obama’s insurance reform legislation.

FAQ 4: Quick Glossary of HIE terms

In our HIE materials, we refer to some terms unique to HIEs and health care. Here are brief definitions of these terms.

HIE Participants: Any medical setting where you can receive treatment that can share information through an HIE. This includes hospitals, practice groups, pharmacies, laboratories and imaging centers, medical clinics, and university medical centers.

Treatment records: The records or medical files of patients who have visited or received treatment from any participant in an HIE are included in some way in the HIE.

Master Patient Index (MPI): The “phone book” or directory that lists all of the patients in the system.

Record Locator System (RLS): Tells the HIE where each patient’s information can be found within the HIE or system.

Privacy Policy: All health care providers and HIEs will have a notice of privacy practices, sometimes abbreviated as “NPP.” Under federal privacy regulations, HIEs are required to disclose their privacy practices regarding patients’ protected health information. All HIEs now fall under HIPAA. For more about HIPAA, see our Patients’ Guide to HIPAA.

Names for HIEs: HIEs can go by many names. They can be called HIEs, ACOs (Accountable Care Organization), and more rarely, a RHIO (Regional Health Information Organization).

Opt in: An opt-in means that you must affirmatively choose to have your records exchanged in an HIE. If you do nothing, your records will be out of the HIE. You may choose to enter the HIE by exercising your opt-in choice.

Opt out: An opt-out choice means that some part or all of your health files are in an HIE by default. If you do nothing, your records will stay in the HIE. You may choose to stop this by exercising your opt-out choice.

FAQ 5: What is different about my records in an HIE? Isn’t it the same as sending records via Fax?

Health care providers have always shared health records. Most recently, faxes and postal mail were the most popular methods of sharing, and sharing was usually done on a case-by-case basis. HIEs, however, allow healthcare providers to share the health records of all of their patients, and do this securely via online technologies.

HIEs are essentially an administrative hub. They receive requests for patient records. They check to see if the patient exists in the whole system, and if so, where those records are located. A Master Patient Index identifies patients in the system and a Record Locator System finds their records; both are a function of HIEs. Some HIEs operate on the model of not retaining any records in the administrative hub. They just point to where the records are, or they can transmit the record. Another possibility is that the HIE retains a copy of all of the records in what’s called a central repository. In that case, it would get a request from a provider, find the whole record, and then send that record to the requester.

A major feature of HIEs is their ability to share records on a much larger scale than one fax at a time. They can also accommodate a much greater diversity of health care participants at one time. HIEs can include very small clinics, or very large statewide or even regional hospital and medical practice groups like Kaiser, Sutter, and Sharp. With very large groups, all of the exchange may just be internal to that organization.

However, exchanges between smaller separate organizations that require the assistance of an intermediary are typically just called HIEs. The entity facilitating the exchange is called the HIO.

In all systems, what they have in common is that they are using a Master Patient Index and a Record Locator System to identify patients and find all of their records across many systems. The MPI and RLS are what truly distinguish HIEs from a hospital just sending faxes one patient at a time to another health care provider.

FAQ 6: Does my doctor share my records in an HIE?

As of this writing, not all health files are exchanged in HIEs. To find out if your doctor is sharing your records in an HIE, you will need to request a privacy policy or Notice of Privacy Practices (NPP) from the health care provider who is treating you. Look for these kinds of terms in the policy:

Participant in an exchange

Facilitate electronic sharing

Electronic transfer of protected health information

It is also helpful to ask a medical records manager if there is an electronic records exchange or HIE in place. In some cases, there will be an extra privacy notice just for the exchange itself. We know of at least one HIE that is scheduled to be operated by insurers, so be sure to ask your health plan if it is participating in an HIE or sharing your claims data in an HIE.

FAQ 7: Do I have to give permission for my health records to be in an HIE?

A health care provider does not need your permission to share your medical information for treatment purposes within an HIE, just as a doctor does not need permission to send your records via fax to another doctor for treatment purposes. This is true even if your health record is going to a doctor you have never met before. The idea is that this information is shared only when necessary and only for treatment purposes. However, some HIEs, recognizing that HIEs involve many more patients and new methods of sharing, do give patients the ability to opt out of the HIE. If you do not want your health records exchanged with other doctors or hospitals beyond your original point of treatment, you will need to make this request. Currently, HIEs that let you opt out will usually only let you opt out of the entire HIE; you are usually not able to pick and choose which doctors in the system do or do not receive access to your files. It’s typically an “all in” or “all out” choice. There are some exceptions to this, so it is best to ask your health care provider and HIE. If you do opt out of having your information shared, be aware that if the HIE has already shared your information with a doctor or hospital, that information may still be there, depending on how the HIE is set up.

FAQ 8: Privacy risks and complications of HIEs

Privacy sensitivity varies widely among patients. Some people will not have a second thought about sharing health information in an HIE; they will want their information shared despite any risks just to be safe medically. Others will be less comfortable with the privacy risks.

The privacy risks of an HIE generally include issues such as:

The security of the system: the best HIEs are extremely secure, but in general, when many records are in one place and there are many points of access, security can be compromised or simply become more challenging to manage.

The spread of your health information over many locations: some people will want to restrict which doctors can have access to their health file.

The accuracy and completeness of the records: Medical records can contain errors. If erroneous records are exchanged, the error gets multiplied.

Requesting all copies of your medical records via an HIE has many hurdles and HIEs are not obligated to assist you, though many do.

Correcting records can be a complication in some cases: sometimes the only way of correcting all of the files is to delete every copy and start over. It can be a long and labor-intensive process.

Restricting portions of the file: Some individuals will be uncomfortable having doctors not known to them see all of their information, past or present. Also some will prefer to keep some information in their file segregated from some doctors. There can be many reasons for this, including sensitive medical or mental conditions that may not be known to all doctors a patient sees. For example, an eye care doctor may never have had access to alcohol and drug treatment records outside an HIE. But in an HIE, they may acquire a broader picture of your health treatment. This is generally seen as a positive for treatment, but not everyone is comfortable with it.

FAQ 9: Who should make requests to see health files in an HIE?

Not everyone needs to request all of the copies of their records that have been exchanged in an HIE. There are, however, some categories of people who are more likely to need to make this kind of a request.

The people who most need this information are victims of identity theft, including medical forms of identity theft. If this pertains to you, you do need to know every instance where all or part of your record has been shared.

If you are concerned about which doctors have what parts of your cumulative or longitudinal records, you may also want to make a more comprehensive request.

If you believe that you have one or more errors in your health file, you are a good candidate for making a request.

Or, if you are extremely curious, you can also still make the requests, but be aware that requesting copies of a full HIE record can be very time-consuming, depending on how large the HIE is, how long it has been operating and how it disperses records.

FAQ 10: How to find the HIEs your information has been exchanged in

Begin any process of HIE discovery with your health care provider. It will likely be your health care providers who are able to let you know if your records have been exchanged, and if so, where. It would be very unusual to contact an HIE first and have the exchange confirm either the presence of your records or who has requested and received them.

First, request the privacy notice from your health care provider, sometimes called the Notice of Privacy Practices or NPP. Each HIPAA-covered entity (like your doctor or a hospital or pharmacy) must provide a copy of its privacy notice to anyone who asks for one. In addition, a copy should be available on the website of each covered entity (if the covered entity has a website).

After you have the policy in hand, read or search the notice for any mention of “health information exchanges” or electronic sharing of records. In an ideal world, any health care provider participating in a HIE will note the name and contact information of the HIE right in the privacy notice, and discuss your sharing options.

If there is any confusion at all, be persistent and ask your health care provider directly about HIEs. You may need to go to an administrator or the medical records office for a full answer. A best practice for a health care provider is to tell patients up front and in writing that they participate in one or more HIEs.

Another step to take is to look on the WPF HIE map to find the name of your health care provider in California. To do this, scan the text list on the map. If your health care provider is listed under an HIE, you will find the HIE name, HIE web site, phone number, and other details as available.

For a very detailed search of entities with which your information has been shared, make a request for an Accounting of Disclosures. See FAQ 11.

FAQ 11: How can I request a detailed disclosure history of my health records in an HIE?

To be as thorough as possible about seeing where your health records have been sent, you can request an accounting of disclosures. An accounting of disclosures is a right given to patients under HIPAA. An accounting of disclosures is really just a partial history of where your information has been disclosed.

Under current HIPAA regulations, specifically, an accounting of disclosures for an individual is a record of:

The date of the disclosure;

The name of the person or entity who received the information;

A brief description of the information disclosed;

A brief statement of the purpose of the disclosure (or, as an alternative, a copy of the request for a disclosure).

Keep in mind that the current regulations do not require a covered entity, most likely your doctor or a hospital where you’ve been treated, to account for disclosures related to your treatment, medical bills or for their routine business purposes. Eventually, these kinds of disclosures will also have to be accounted for, but it’s unclear when the new rule requiring it will be final.

To make a request for an accounting of disclosures, ask your health care provider for a copy of their privacy policy, also called a Notice of Privacy Practices or NPP. Each HIPAA-covered entity must provide a copy of its notice to anyone who asks for one. In addition, a copy should be available on the website of each covered entity (if the covered entity has a website).

Follow the directions in the notice for making a request. You might be asked to write a letter or fill out a form in order to make your request for disclosure. The covered entity must act on a request for an accounting of disclosures within 30 days, but it can extend the time limit for another 30 days if it provides a written explanation of the delay.

FAQ 12: How to request all of your medical records that have been exchanged in an HIE

The general procedure for requesting a copy of your medical records that have been exchanged in an HIE will begin with getting a copy of your records from the original health care provider who treated you. There are many good reasons to have a current copy of your health file, and WPF encourages Californians and all patients to have a good baseline health file on hand. It can be a key tool in assisting with medical ID theft, among other benefits.

To make a request for a copy of your health file, ask your health care provider for a copy of their privacy policy, also called a Notice of Privacy Practices or NPP. Each HIPAA-covered entity must provide a copy of its notice to anyone who asks for one. In addition, a copy should be available on the website of each covered entity (if the covered entity has a website).

Follow the directions in the notice for making a request. You might be asked to write a letter or fill out a form in order to make your request. If your file is extensive, you may request just portions of it. The covered entity must act on a request for a copy of your records in 30 days, but it can extend the time limit for another 30 days if it provides a written explanation of the delay.

If your health care provider also participates in an HIE, to get copies of your health files specifically from an HIE (assuming that your HIE retains records), you will need to follow the written process of getting a copy of your record. This process will be stated in the privacy policy, or Notice of Privacy Practices (NPP) of either your provider or the HIE. In some cases, a request to your health care provider will be the only step you need to take. In others, you may also need to follow an additional process set by the HIE. The NPP will give you that information.

Please note that even if your health care provider participates in an HIE, the HIE may or may not retain copies of your records. The operating models of HIEs can vary dramatically, with some HIEs keeping files, and others not.

Remember:

Requests will need to be made in writing.

Some providers will allow you to request your records through a secure patient web portal for which you already have a user ID and password.

Providers have 30 to 60 days to supply your record.

There may be a small charge for records.

Some HIEs may require an extra step for a request.

FAQ 13: How to correct your medical records in an HIE

If you have requested and received a copy of your health care file from your doctor, and you find mistakes or errors, you may wish to correct those files. After you have obtained your record (See FAQ 12), first determine if your provider has exchanged your records in an HIE. (See FAQ 10.) Determining this will let you know where and if you need to request corrections beyond your original health care provider. If you discover that an HIE has distributed incorrect information in your health files, you will need to contact the HIE and ask for specific instructions. What happens next depends on the policy of the provider and the HIE. There are a variety of ways they could amend, correct or remove the material.

Some HIEs will allow you to remove records from HIE circulation by opting out of the HIE.

HIPAA rules will apply to all individual providers. Individual providers can do the following things with a deletion or change request:

amend

change

delete (rare)

segregate the information

In cases of medical ID theft, erroneous records are usually handled a little differently. Often, the incorrect information is completely segregated from any records with your name.

FAQ 14: Can I remove my records from an HIE?

After a health record has been created and exchanged via an HIE, how your record is managed in that HIE is going to vary considerably. Generally speaking, it is rare for any health care provider to outright delete a health file. Health providers often will keep a record for a minimum of 7 years for insurance and other purposes. That being said, some HIEs will allow you to opt out of sharing or exchanging your files in the HIE. As part of that, you can make a request for record removal from the HIE itself. Some HIEs will allow this. Other HIEs will not allow an opt-out, and some HIEs will not facilitate any record removal whatsoever. Remember that an HIE is an organization that facilitates record sharing among health care providers for treatment purposes. The health care provider where you received treatment will retain a copy of your health file, even if you do have the ability to remove your record from an HIE.

FAQ 15: What if my health care provider won’t delete my records?

This can happen at any health care provider, and is actually a function of HIPAA, not HIEs. Your ability to delete a record will depend on the policy of the health care provider that holds the record. It is very rare and unlikely that a health care provider will delete your treatment record. Some HIEs may allow you to opt out of sharing or exchanging beyond the health care provider who gave you the treatment originally, but this is highly variable. See FAQs 13 and 14.

FAQ 16: Guided Tour of How to Use the HIE Map and how an HIE process could work

Walking through San Diego Beacon HIE

If you live in California, your records may be in an HIE. You may not know this. In fact, if you live anywhere near one of the pins on the HIE map, this may be true of you. In this example, we’ll show you step by step how to work with the map and the HIE. Using the example of the San Diego area, on the map, you can see a green pin on the San Diego region. Clicking on that brings you to the San Diego Beacon HIE. The text about San Diego Beacon has a link to the HIE’s web site, and tells you that the HIE includes the following health care participants, each of which is a provider you could potentially go to for health services:

Kaiser for Southern California

Children’s Primary Care Medical Group

Rady Children’s Hospital

UCSD Health System

VA San Diego Health System

If you receive care from any one of these providers, then your records are part of the San Diego Beacon HIE system, which is a system separate from the individual health care providers. San Diego Beacon HIE has a web site with a FAQ that describes how records work in its system.

Here is a brief section of that FAQ:

“How does San Diego Beacon exchange work? With your written consent, a participating doctor who is providing you with care will request your personal health information from other healthcare facilities through San Diego Beacon (Exchange) web portal.

Participating healthcare facilities with electronic personal health information about you will then transmit that information to the Exchange. The Exchange will then display that information, such as hospital discharge summaries, clinic notes, laboratory and radiology results, medications and allergy lists, for the doctor to view. No personal health information will be stored outside of the providers’ or other healthcare facilities’ electronic medical records systems.

The Exchange only stores patient identifiers and pointers to different medical center or medical group electronic health record systems that contain a specific patient’s information. All personal health information will be transmitted across the health information exchange in a safe and secure manner. Once your doctor has taken care of you, your personal health information is removed from the Exchange.” (From: http://www.sandiegobeacon.org/patients/faqs)

San Diego Beacon also describes how your consent is handled in its system. For the Beacon HIE, the default is that your records are available for emergency purposes unless you have withdrawn consent, or unless you have given consent for broader access.

On its Web site, Beacon’s FAQ states:

“What are the different levels of consent in the San Diego Beacon exchange? The three different consent levels in the San Diego Beacon exchange are:

*Full consent: a patient’s medical records can be accessed by any doctor during a medical encounter.

*Emergency consent: a patient’s medical records can only be accessed by a doctor during an emergency.

*No consent: a patient’s medical records cannot be accessed under any circumstances, not even during an emergency. If you have not provided consent for the San Diego Beacon exchange, the default consent status is ‘emergency consent.’” (From http://www.sandiegobeacon.org/patients/faqs)

In our HIE example, if a patient goes to the emergency room at Rady Children’s Hospital and receives stitches to her right foot, Rady will create a medical record for her of this visit. Rady is part of the San Diego Beacon HIE. This means that if this patient goes to the UCSD Health System for emergency treatment the next summer, then the information from her Rady visit will be accessible by this hospital, as well as the others in the HIE as needed.

If the Rady patient wanted to know if Rady was part of an HIE, she would ask Rady for their privacy notice, and also ask the medical records department if Rady was part of an exchange. If the patient wanted all of the records available through the HIE, she would start at Rady, because she was treated there, and request those records. She would then request the records of the UCSD system where she also had treatment.

The patient could also contact the Beacon HIE and ask them if they had any additional records, but based on the FAQ, the HIE does not keep any records itself.

To make corrections to her health records, the patient would submit a written request for amendment to Rady and to UCSD. The outcome of the request would then depend on the policy of each individual participant in the HIE.

If this patient wanted to, she could exercise her different consent options and say no to any exchange of her records, or tell the HIE that she wanted her whole medical file exchanged.

Remember: each HIE has a slightly different structure, which ideally should be explained in its privacy policy and/or web site.
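
For readers who want to see the mechanics, the pointer-only exchange and the three consent levels quoted above can be modeled in Python. This is an added example, not code from San Diego Beacon or WPF: the class and function names, the patient data, and the choice to log each permitted lookup using the four accounting-of-disclosures fields listed in FAQ 11 are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Consent(Enum):
    FULL = "full"            # any doctor, during any medical encounter
    EMERGENCY = "emergency"  # only during an emergency
    NONE = "none"            # never, not even during an emergency


@dataclass
class Exchange:
    """Hypothetical hub: holds identifiers, pointers and consent, never records."""
    mpi: dict = field(default_factory=dict)          # (name, dob) -> patient id
    rls: dict = field(default_factory=dict)          # patient id -> provider names
    consent: dict = field(default_factory=dict)      # patient id -> Consent
    providers: dict = field(default_factory=dict)    # provider -> {patient id: [docs]}
    disclosures: list = field(default_factory=list)  # log of permitted lookups

    def add_record(self, provider, demographics, doc):
        """A provider files a record locally; the hub only learns a pointer."""
        pid = self.mpi.setdefault(demographics, f"P{len(self.mpi) + 1:04d}")
        self.providers.setdefault(provider, {}).setdefault(pid, []).append(doc)
        self.rls.setdefault(pid, set()).add(provider)
        return pid

    def allowed(self, pid, emergency):
        """Consent check; a patient with no stated choice defaults to EMERGENCY."""
        level = self.consent.get(pid, Consent.EMERGENCY)
        return level is Consent.FULL or (level is Consent.EMERGENCY and emergency)

    def query(self, requester, demographics, emergency, date):
        """Return (source, document) pairs the requester may view right now."""
        pid = self.mpi.get(demographics)
        if pid is None or not self.allowed(pid, emergency):
            return []
        results = []
        for source in sorted(self.rls[pid] - {requester}):
            docs = self.providers[source][pid]
            results += [(source, d) for d in docs]
            # Same four fields FAQ 11 lists for an accounting of disclosures.
            self.disclosures.append({
                "date": date,
                "recipient": requester,
                "description": f"{len(docs)} document(s) from {source}",
                "purpose": "emergency treatment" if emergency else "treatment",
            })
        return results


def demo():
    """Constructed scenario following the Rady / UCSD walk-through above."""
    hie = Exchange()
    patient = ("Jane Example", "2005-06-01")  # constructed demographics
    pid = hie.add_record("Rady", patient, "ER visit: stitches, right foot")
    hie.add_record("UCSD", patient, "Clinic note")
    out = {}
    out["default_emergency"] = hie.query("UCSD", patient, True, "2014-07-01")
    out["default_routine"] = hie.query("UCSD", patient, False, "2014-07-02")
    hie.consent[pid] = Consent.NONE
    out["none_emergency"] = hie.query("UCSD", patient, True, "2014-07-03")
    hie.consent[pid] = Consent.FULL
    out["full_routine"] = hie.query("Rady", patient, False, "2014-07-04")
    out["log"] = hie.disclosures
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

In this model a refused lookup returns nothing and leaves no log entry, so the log alone cannot show a patient who tried to see the record and was turned away.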
